Introduction

A recent decision by the UK financial services regulators, the Financial Conduct Authority and the Prudential Regulation Authority, to fine a retail bank serves as a reminder to both customers and suppliers in the financial services sector to ensure that their services and contracts include adequate safeguards.

Background

On 29 May 2019, R. Raphael & Sons plc., a UK independent retail bank, was subject to separate fines of GBP775,100 from the FCA and GBP1,112,152 from the PRA, resulting in a combined fine of GBP1,887,252, for failing to manage its outsourcing arrangements properly between April 2014 and December 2016. It was found that Raphael had failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers. The arrangements in question concerned the card programmes in which it participates, for which it relies heavily on outsourced service providers to perform many of the services and functions that are critical to the operation of the card programmes, including the authorisation and processing of card transactions. In particular, Raphael did not know how those providers would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphael's operational resilience and exposed its customers to a serious risk of harm.

Under the PRA Rulebook and FCA Handbook, if a firm chooses to outsource certain functions and services to third parties, the outsourcing firm retains full accountability for discharging its regulatory obligations and cannot delegate them to other parties. In particular, when relying on a third party for the performance of critical operational functions, firms must ensure that they have taken reasonable steps to avoid undue additional operational risk. For these purposes, an operational function is regarded as critical if (among other things) a defect or failure in its performance would materially impair the soundness or the continuity of the firm's relevant services and activities.

On 24 December 2015, a technology incident occurred at a third party card processor, causing a complete failure of the authorisation and processing services the third party provided to Raphael. This failure lasted over eight hours, during which 3,367 customers were unable to use the prepaid cards and charge cards forming part of Raphael's card programmes. In total, the third party processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATMs and online. In addition, many seasonal workers who depended on Raphael's card programmes to receive their wages were affected by the incident. The timing of the incident, on Christmas Eve, is likely to have exacerbated the impact of the outage.

Raphael's specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from Board level down. The joint FCA and PRA investigation identified weaknesses throughout the firm's outsourcing systems and controls which Raphael ought to have known about since April 2014. These included a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services, and flaws in its initial and ongoing due diligence of outsourced service providers. Raphael's outsourcing arrangements continued to be inadequate until the end of 2016, by which time Raphael had designed new outsourcing policies and procedures to remedy the failings.

Raphael agreed to resolve this matter and therefore qualified for a 30% reduction in the fines imposed by both regulators. Otherwise, the combined fine imposed by the FCA and PRA would have been GBP2,709,574. For businesses looking to outsource regulated activities to third parties, this case demonstrates the importance of setting up outsourcing arrangements thoughtfully and in a way that enables the outsourcing entity to understand, and be capable of implementing, a "Plan B" should there be issues with the outsourced service delivery. Given the joint focus of the Bank of England, the FCA and the PRA on operational resilience, it is essential that regulated entities ensure their outsourcing contracts give them the ability (in terms of practical steps and also an understanding of the operation) to take appropriate steps to mitigate and remediate any service interruption.

The case is also relevant to fintechs and other businesses looking to supply their services to banks and other regulated entities, especially where the service or solution affects regulated activities. It highlights why their customers will want to understand the supplier's operational resilience and disaster recovery arrangements, and why those customers look to include provisions on disaster recovery, business continuity and related matters in their contracts. Businesses looking to bring new technology solutions to the financial services market could gain a competitive advantage by ensuring that their operations and contract terms include the protections which customers will expect.
